pawelmalak / flame

Flame is self-hosted startpage for your server. Easily manage your apps and bookmarks with built-in editors.
MIT License
5.25k stars 257 forks

Docker image with Node.js VULNERABILITIES #148

Open somera opened 2 years ago

somera commented 2 years ago

Please update.

2021-11-08T00:08:19.839Z        INFO    Detecting Alpine vulnerabilities...
2021-11-08T00:08:19.876Z        INFO    Number of language-specific files: 1
2021-11-08T00:08:19.876Z        INFO    Detecting node-pkg vulnerabilities...
2021-11-08T00:08:20.233Z        WARN    This OS version is no longer supported by the distribution: alpine 3.11.12
2021-11-08T00:08:20.233Z        WARN    The vulnerability detection may be insufficient because security updates are not provided

pawelmalak/flame:latest (alpine 3.11.12)
========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Node.js (node-pkg)
==================
Total: 18 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 18, CRITICAL: 0)

+------------+------------------+----------+-------------------+-----------------------------+---------------------------------------+
|  LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |        FIXED VERSION        |                 TITLE                 |
+------------+------------------+----------+-------------------+-----------------------------+---------------------------------------+
| ansi-regex | CVE-2021-3807    | HIGH     | 3.0.0             | 5.0.1, 6.0.1                | nodejs-ansi-regex: Regular            |
|            |                  |          |                   |                             | expression denial of service          |
|            |                  |          |                   |                             | (ReDoS) matching ANSI escape codes    |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3807  |
+            +                  +          +-------------------+                             +                                       +
|            |                  |          | 4.1.0             |                             |                                       |
|            |                  |          |                   |                             |                                       |
|            |                  |          |                   |                             |                                       |
|            |                  |          |                   |                             |                                       |
+            +                  +          +-------------------+                             +                                       +
|            |                  |          | 5.0.0             |                             |                                       |
|            |                  |          |                   |                             |                                       |
|            |                  |          |                   |                             |                                       |
|            |                  |          |                   |                             |                                       |
+------------+------------------+          +-------------------+-----------------------------+---------------------------------------+
| axios      | CVE-2021-3749    |          | 0.21.1            | 0.21.2                      | nodejs-axios: Regular expression      |
|            |                  |          |                   |                             | denial of service in trim function    |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3749  |
+------------+------------------+          +-------------------+-----------------------------+---------------------------------------+
| path-parse | CVE-2021-23343   |          | 1.0.6             | 1.0.7                       | nodejs-path-parse:                    |
|            |                  |          |                   |                             | ReDoS via splitDeviceRe,              |
|            |                  |          |                   |                             | splitTailRe and splitPathRe           |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-23343 |
+------------+------------------+          +-------------------+-----------------------------+---------------------------------------+
| tar        | CVE-2021-32803   |          | 2.2.2             | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink      |
|            |                  |          |                   |                             | protection allowing arbitrary         |
|            |                  |          |                   |                             | file creation and overwrite           |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-32803 |
+            +------------------+          +                   +-----------------------------+---------------------------------------+
|            | CVE-2021-32804   |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute     |
|            |                  |          |                   |                             | path sanitization allowing arbitrary  |
|            |                  |          |                   |                             | file creation and overwrite           |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-32804 |
+            +------------------+          +                   +-----------------------------+---------------------------------------+
|            | CVE-2021-37701   |          |                   | 6.1.7, 5.0.8, 4.4.16        | nodejs-tar: insufficient symlink      |
|            |                  |          |                   |                             | protection due to directory cache     |
|            |                  |          |                   |                             | poisoning using symbolic links...     |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37701 |
+            +------------------+          +                   +-----------------------------+---------------------------------------+
|            | CVE-2021-37712   |          |                   | 6.1.9, 5.0.10, 4.4.18       | nodejs-tar: insufficient symlink      |
|            |                  |          |                   |                             | protection due to directory cache     |
|            |                  |          |                   |                             | poisoning using symbolic links...     |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37712 |
+            +------------------+          +                   +                             +---------------------------------------+
|            | CVE-2021-37713   |          |                   |                             | Arbitrary File Creation/Overwrite     |
|            |                  |          |                   |                             | on Windows via insufficient           |
|            |                  |          |                   |                             | relative path sanitization            |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37713 |
+            +------------------+          +-------------------+-----------------------------+---------------------------------------+
|            | CVE-2021-32803   |          | 4.4.13            | 6.1.2, 5.0.7, 4.4.15, 3.2.3 | nodejs-tar: Insufficient symlink      |
|            |                  |          |                   |                             | protection allowing arbitrary         |
|            |                  |          |                   |                             | file creation and overwrite           |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-32803 |
+            +------------------+          +                   +-----------------------------+---------------------------------------+
|            | CVE-2021-32804   |          |                   | 6.1.1, 5.0.6, 4.4.14, 3.2.2 | nodejs-tar: Insufficient absolute     |
|            |                  |          |                   |                             | path sanitization allowing arbitrary  |
|            |                  |          |                   |                             | file creation and overwrite           |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-32804 |
+            +------------------+          +                   +-----------------------------+---------------------------------------+
|            | CVE-2021-37701   |          |                   | 6.1.7, 5.0.8, 4.4.16        | nodejs-tar: insufficient symlink      |
|            |                  |          |                   |                             | protection due to directory cache     |
|            |                  |          |                   |                             | poisoning using symbolic links...     |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37701 |
+            +------------------+          +                   +-----------------------------+---------------------------------------+
|            | CVE-2021-37712   |          |                   | 6.1.9, 5.0.10, 4.4.18       | nodejs-tar: insufficient symlink      |
|            |                  |          |                   |                             | protection due to directory cache     |
|            |                  |          |                   |                             | poisoning using symbolic links...     |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37712 |
+            +------------------+          +                   +                             +---------------------------------------+
|            | CVE-2021-37713   |          |                   |                             | Arbitrary File Creation/Overwrite     |
|            |                  |          |                   |                             | on Windows via insufficient           |
|            |                  |          |                   |                             | relative path sanitization            |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37713 |
+            +------------------+          +-------------------+                             +---------------------------------------+
|            | CVE-2021-37712   |          | 6.1.7             |                             | nodejs-tar: insufficient symlink      |
|            |                  |          |                   |                             | protection due to directory cache     |
|            |                  |          |                   |                             | poisoning using symbolic links...     |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37712 |
+            +------------------+          +                   +                             +---------------------------------------+
|            | CVE-2021-37713   |          |                   |                             | Arbitrary File Creation/Overwrite     |
|            |                  |          |                   |                             | on Windows via insufficient           |
|            |                  |          |                   |                             | relative path sanitization            |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-37713 |
+------------+------------------+          +-------------------+-----------------------------+---------------------------------------+
| validator  | CVE-2021-3765    |          | 10.11.0           | 13.7.0                      | Inefficient Regular Expression        |
|            |                  |          |                   |                             | Complexity in validator.js            |
|            |                  |          |                   |                             | -->avd.aquasec.com/nvd/cve-2021-3765  |
+------------+------------------+----------+-------------------+-----------------------------+---------------------------------------+
JaneJeon commented 2 years ago

For the author, the tool this person is using is called trivy.

Basically, you set up CI/CD and the occasional (e.g. daily/weekly) checks on your images to literally just run trivy scan $image and see if there are any vulnerabilities within your dependencies.

Combined with github's dependabot, which checks individual layers of Dockerfile to see if there's anything to be updated, once you "pin" dependencies in dockerfile, you'll be able to reproducibly create container images and have them up to date with the latest patches.

At least that's the theory (I understand that this is a pain in the ass to setup and in fact, I don't even do it for my own application containers lul).

How serious is this?

While Docker processes are supposed to be isolated, let's not kid ourselves: that layer of isolation has a LOT of goddamn holes in it. But you can't really "escape" process isolation (no matter how bad Docker is) when the process in the Dockerfile does NOT run as the root user (because when you run as the root user in a Docker container, and you run the Docker daemon as root, which is the default, you can essentially think of your container process as running as root, due to the said "holes" providing a larger blast radius).

But, uh, you seem to be using the root user for your dockerfile: https://github.com/pawelmalak/flame/blob/master/.docker/Dockerfile

For reference, this is how you would do it "properly", running the process as a non-root user (and reaping any zombies, but that's a topic for another day): https://github.com/JaneJeon/blink/blob/master/Dockerfile#L42

So for the shorter-term solution (to limit the "blast radius" to just inside your container), you should change your Docker process to run as a non-root user (for all node-based images, there's the node user). That honestly should be enough to close this issue; after all, Docker's whole point is process isolation.

For the longer-term solution, yeah, you should set up an automated process with trivy & dependabot to ensure your image is secure and up to date, but if that scares you, it's not a big deal (again, because the attack surface would be limited by the fact that whatever "hijacks" your container would be contained to that container).

Phew

Hope it makes sense @pawelmalak

pawelmalak commented 2 years ago

Is specifying user on the building stage also required?

JaneJeon commented 2 years ago

Not necessarily, but I do it anyway for consistency. Plus there are... "issues" stemming from who owns what if you create assets as root, but this is out of my depth of expertise so Google will serve you better than I can.

pawelmalak commented 2 years ago

It seems that I have to run builder as a root user, otherwise React build fails. Final stage with node user works fine.
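The pattern the thread converges on (a root builder stage because the React build fails as non-root, a runtime stage that drops to the `node` user, and pinned, lockfile-driven installs so trivy and dependabot have something stable to check) looks like this as a complete multi-stage Dockerfile. This is an added example for a generic Node app with a React client, not Flame's own `.docker/Dockerfile`; the `node:16-alpine` tag, the `build/` output directory, `server.js` and port 3000 are assumptions chosen for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not the project's Dockerfile. Builder stage stays root
# (the React build needs it); runtime stage runs as the unprivileged
# `node` user (uid 1000) shipped in the official Node images.
# Assumptions: node:16-alpine tag, build output in /app/build, a server.js
# entrypoint, port 3000.

# Pin the base image tag so dependabot can bump it; for a reproducible
# build pin the digest as well (node:16-alpine@sha256:<digest>).
FROM node:16-alpine AS builder
WORKDIR /app

# Install from the lockfile so the dependency set is reproducible and
# `trivy image` sees exactly the versions in package-lock.json.
COPY package.json package-lock.json ./
RUN npm ci

COPY . .
# Build as root (the default in this stage). Root here only affects file
# ownership of the output, which the runtime stage fixes with --chown.
RUN npm run build

# ---- runtime stage ----------------------------------------------------
FROM node:16-alpine
ENV NODE_ENV=production
WORKDIR /app

# Production dependencies only: fewer packages in the image, fewer
# findings for the scanner to report.
COPY package.json package-lock.json ./
RUN npm ci --production && npm cache clean --force

# Copy artefacts out of the root-owned builder stage and hand them to
# `node`, otherwise the runtime user cannot read (or write) them.
COPY --from=builder --chown=node:node /app/build ./build
COPY --chown=node:node server.js ./

# Drop privileges. Everything from here on, including CMD, runs as
# `node`, so a compromise of the app process is contained to that user.
USER node

EXPOSE 3000
CMD ["node", "server.js"]
```

Build it with `docker build -t myapp:dev .`, then confirm the privilege drop with `docker run --rm myapp:dev id`, which should print uid 1000 (`node`). For the CI gate, `trivy image --exit-code 1 --severity HIGH,CRITICAL myapp:dev` makes the job fail on any HIGH or CRITICAL finding (add `--ignore-unfixed` to skip findings that have no fixed version yet). Note the two warnings in the scan output above: an Alpine 3.11 base is end-of-life and receives no security updates, so the scanner's "Total: 0" for the OS packages is not evidence of a clean base; bumping the base image tag is the first fix, and running as `node` limits the damage from whatever the next scan finds rather than replacing patching.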